Botnets Powering Cyber Reconnaissance at Scale for Hackers

Google and other search engines have always been a valuable tool for hackers to search out new targets and hunt down sensitive data hidden in all corners of the Web. While using search engines as a tool is not new to cybercriminals, Imperva, a provider of data security solutions, today highlighted recent research on how hackers are leveraging botnets to bypass search engine query limits and conceal their identity while building large lists of potential targets of attack.

Through “Google Hacking,” cybercriminals can use a Web browser and specially crafted search queries (often referred to as “Dorks”) to identify potential attack targets and determine what security holes may exist on servers that could be possibly exploited. Using automation, cybercriminals can execute high volumes search queries and result processing, enabling them to conduct cyber reconnaissance on a massive scale. In fact, during a recent observation period in May and June 2011, Imperva observed a specific botnet attack on a popular search engine conducting cyber attack intelligence queries at a rate up to 81,000 per day.

What do these search queries (Dorks) look for?

Search engines can be used by attackers in multiple ways, from discovering sensitive files and folders mistakenly put online, to collecting network intelligence from exposed logs and detecting unprotected networked devices and Web applications. While observing the attack that reached 81,000 search queries per day, Imperva noticed that most of the Dorks used were searching for Content Management Systems and e-commerce applications, many which contain known security vulnerabilities that can be easily exploited. Using special search terms, hackers can correlate page elements such a “powered by” or specific error messages that can help them identify what platforms and applications a Web server may be running—thus helping them identify how such resources could possibly be compromised. Due to the fact that many e-commerce systems store financial information about customers, a successful attack on such a site can be immediately monetized. (Some examples are included in the grid below)

The tools used automate the use of dorks range from desktop tools to simple web-based services. Some tools automate just the collection of targets and others automate the construction of exploit vector and the attack itself, Imperva notes.

“Hackers have become experts at using Google to create a map of hackable targets on the Web. This cyber reconnaissance allows hackers to be more productive when it comes to targeting attacks which may lead to contaminated web sites, data theft, data modification, or even a compromise of company servers,” explained Imperva's CTO, Amachai Shulman. "These attacks highlight that search engine providers are need to do more to prevent attackers from taking advantage of their platforms.”

For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.